How the Equifax Breach Went from Bad to Worse – and How to Avoid the Same Mistakes

How the Equifax Breach Went from Bad to Worse – and How to Avoid the Same Mistakes

With as many as 143 million consumers impacted – representing roughly 40 percent of the U.S. population – the fallout from the recent Equifax breach promises to be nothing short of staggering.

While a compromise of this magnitude is a somewhat rare occurrence, in fact smaller cyberbreaches occur all the time.

According to PYMNTS.com, one of the world’s top cybersecurity consulting firms, Deloitte, just announced a recent breach that compromised “sensitive corporate data,” including emails and company plans of some of the world’s “biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.”

Millions of Records Compromised Each Year

USA Today reports that more than 825 million personal records were exposed in data breaches from 2006 to 2016, according to the Identity Theft Resource Center. A 2017 Javelin Strategy & Research study reveals that a record 15.4 million U.S. consumers became identify fraud victims in 2016 alone – with losses totaling $16 billion for the year.

“Any organization can be impacted by a cyberbreach at a given point in time,” said Paul Love, chief information security officer for CO-OP Financial Services. “This is why, as a credit union, it is so important to keep pace with advancements in security technology.”

But the bigger lesson learned from Equifax, Love says, is to have incident response processes in place, with legal counsel, communications and marketing teams all working and communicating in a coordinated manner.

“The Equifax response shows a lack of preparedness, and the company’s reputation is suffering even more as a result,” he said.

For example, when the cyberbreach was first announced, Equifax directed consumers to a website where they could verify whether or not they were impacted. “The mismanagement of this site has only compounded the company’s problems,” he said.

Initially, he notes, the website itself was flawed. “Once registered with the site, consumers were greeted with ‘terms of service’ stipulating that they wouldn’t participate in a class action lawsuit,” said Love.

This phrase was quickly modified to exclude the massive breach.

The site was also delivering inconsistent results to consumers when they checked on their status, said Love, adding that Krebsonsecurity.com launched an investigation into this issue.

“What they found is that some people who visited the site using a laptop were told they were not impacted – only to be told just the opposite when they checked the site using a mobile device,” he said.

The confusion continued when an Equifax employee mistakenly tweeted the wrong URL to concerned consumers.

“Not only did this error steer people to the wrong verification site,” said Love. “But the domain tweeted also turned out to be a phishing site set up to capture the personal data of unsuspecting visitors.”

Planning for an Attack

So what should credit unions do today to prepare for a potential cyberbreach?

“They need to secure internal systems by patching them in a timely manner and using advanced fraud detection tools, including neural networks and new machine learning solutions like the platform in development at CO-OP,” he said. “Equally important, credit unions need to be ready with a well-thought-out incident response plan that has its employees communicating the same, consistent messages to members and other stakeholders to keep them informed.”

Credit unions should also advise members on the extra measures they can take to safeguard their accounts.

“The most important step for members to take is to freeze their credit with all four bureaus, including Equifax, Experian, TransUnion and Innovis,” said Love.

They should monitor their credit frequently, he adds, and sign up for alert services across both cards and accounts.

“CO-OP’s CardNav mobile security app helps tremendously by alerting members to card activity and allowing them to stipulate exactly when, how and where their cards can be used,” he said.

Love also advises credit unions to educate members about phishing scams. “They should know not to directly click on emailed links, especially those asking for login credentials,” he said.

He continued, “This breach is so extensive we should all assume we have been affected, whether the Equifax site indicates this or not. Preventing an attack like this at your credit union takes a lot of diligence – but that is what members expect. If the unthinkable occurs, follow your plan, communicate well and contain the damages as quickly as you can.”